Description
Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code
Published: 2026-04-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the content creation endpoint of HTMLy version 3.1.1. The application fails to sanitize user input, allowing attackers to inject arbitrary HTML or JavaScript. If exploited, malicious code will run in the browsers of users who view the affected content, potentially leading to session hijacking, defacement, or other malicious actions. This flaw represents a classic cross‑site scripting weakness.

Affected Systems

The affected product is HTMLy, version 3.1.1. No other vendors or products were identified. Users of this specific version are directly impacted.

Risk and Exploitability

The CVSS score is not disclosed, and the EPSS score is unavailable, so the formal severity cannot be computed. However, the flaw is exploitable by any user with access to the image content creation endpoint. Because injected code executes in the victim's browser, the impact is high if the content is publicly viewable. The vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed exploits as of the last update. Nonetheless, the lack of proper input validation presents a significant risk that should be mitigated.

Generated by OpenCVE AI on April 29, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of HTMLy if one has been released by the vendor or community.
  • Sanitize user input on the /add/content?type=image endpoint by removing disallowed tags or using a trusted library such as OWASP Java HTML Sanitizer.
  • Implement a Content Security Policy that restricts inline scripts and eval usage to mitigate any exploitation.

Generated by OpenCVE AI on April 29, 2026 at 01:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Danpros
Danpros htmly
Vendors & Products Danpros
Danpros htmly

Wed, 29 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting in HTMLy Content Creation
Weaknesses CWE-79

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code
References

Subscriptions

Danpros Htmly
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-28T16:06:20.531Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38949

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-04-28T19:37:38.937

Modified: 2026-04-28T20:19:13.567

Link: CVE-2026-38949

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:11:05Z

Weaknesses